Gartner analyst Anton Chuvakin puts forward three possible ways to make it work

National Harbor, Md. -- Security monitoring — the type involving traditional security information and event management (SIEM) — can be done in some public cloud environments, according to Gartner. And if you’re using public cloud services, it’s time to think about doing it.

Security monitoring of assets that the enterprise has placed in cloud is still not a common practice, but it really should be, said Gartner analyst Anton Chuvakin during his presentation this week at the Gartner Security and Risk Management Summit. There is always a “loss of control” when turning corporate data assets over to the cloud, Chuvakin says, but “you can compensate by increasing the visibility that comes with collection of logs and network traffic.”

Most security monitoring today is done on-premises within the enterprise network using SIEM, intrusion-prevention systems (IPS) and data-loss prevention tools. In Amazon Web Services, he said, it’s possible to collect logs and copy them back to the on-premises SIEM.

The benefits are that familiar tools are in use and you can obtain a unified view of both the cloud and the traditional environment, he said. On the other hand, there might be bandwidth restraints that make this hard or that the SIEM tools present “conflicts and incompatibilities” in the cloud environment. Chuvakin said enterprise security managers have to ask the question whether their SIEM tool is “cloud-ready” to collect data, which may be presented in unfamiliar form as instances and dynamic provisioning.

Some SIEM tools are able to make use of specific software-as-a-service APIs as well to collect logs from public cloud services. Tools from IBM and HP ArcSight, for example, can now monitor Salesforce, Chuvakin noted.

A second approach to security monitoring of cloud assets is to load a SIEM tool directly into an IaaS to have “on-IaaS monitoring,” Chuvakin said. The advantages here are that the tools are familiar and there’s no high bandwidth requirement. However, there could possibly be high storage costs in the cloud, and in the end, there’s a lack of a unified view on on-premises and on-IaaS monitoring.

A third possibility is to obtain the data from the cloud service, if it’s available, and hand it to a managed security service provider such as Splunk Storm.

He said it makes sense to ask why the cloud service providers are not contributing more to the security monitoring process and making SIEM data more available since it’s obvious their customers have a need for this. Some, such as FireHost, which offer a way for their customers to use their SIEM in their cloud hosting service, said Chuvakin.